Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: young@ll-vlsi.arpa (George Young)
Newsgroups: comp.sys.sun
Subject: Re: Securing the Server
Keywords: Networks
Message-ID: <295@vlsi.ll.mit.edu>
Date: 21 Apr 89 23:44:12 GMT
References: <3086@udccvax1.acs.udel.EDU>
Sender: usenet@rice.edu
Organization: MIT Lincoln Laboratory, Lexington MA
Lines: 36
Approved: Sun-Spots@rice.edu
Original-Date: 30 Mar 89 17:07:24 GMT
X-Sun-Spots-Digest: Volume 7, Issue 237, message 5 of 12

We do limit access to our servers by using a separate passwd file, but
using the wildcard feature of yp to retain uid-username knowledge and
restricted rsh access for ordinary users. The passwd file looks like:

    root:opqrstuvwxyz:0:1:Operator:/:/bin/csh
    nobody:*:-2:-2::/:
    daemon:*:1:1::/:
    sys:*:2:2::/:/bin/csh
    bin:*:3:3::/bin:
    laser:AbCdEfGhIjKl:34:2:&:/common/home/laser:/bin/csh
    +:nologin:0:0:::/etc/login-disabled

where /etc/login-disabled is the script:

    #!/bin/csh -f
    # Login shell of every wildcard (yp) user on the server.
    # rshd invokes it as "login-disabled -c command"; rlogin/telnet hand
    # it a terminal instead, which is how the two cases are told apart.
    if { /usr/bin/tty -s } then
        # must be a login if it has a terminal
        echo Login to server is not allowed because of detrimental effect on file serving.
    else
        shift                      # shift out the first arg "-c" inserted by rsh
        setenv SHELL /bin/csh
        limit cputime 480seconds
        limit memoryuse 240kbytes
        limit datasize 2.5megabytes
        nice +2                    # lower the priority of this shell; exec inherits it
        exec /bin/csh -c "$*"      # run the rsh command under the limits above
    endif

This arrangement gives 'root' and 'laser' full privileges. All others
have rsh access only (with resources limited), to allow use of the
server's tape drive. This is not intended to be absolutely secure, but
keeps people from casually logging in and running huge jobs on the file
server.

George Young, Rm. B-141            young@ll-vlsi.arpa
MIT Lincoln Laboratory             young@vlsi.ll.mit.edu
244 Wood St.
Lexington, Massachusetts 02173     (617) 981-2756
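As an added example (not part of the post above and not George Young's script), here is the same rsh-only login shell written in POSIX sh. It keeps the structure of the csh version (refuse if a terminal is attached, otherwise cap resources and run the one command) and adds the check the csh script skips: that the shell really was invoked the way rshd invokes it, as exactly "-c command", before anything is executed. The install path /usr/local/libexec/rsh-only, the limit values and the environment variable names are assumptions chosen for the example.

```shell
#!/bin/sh
# rsh-only: a login shell that refuses interactive sessions and runs a
# single rsh command under resource limits.  Added example, not the
# original /etc/login-disabled; the install path and the limit values
# below are assumptions (the limits can be overridden from the environment).
#
# Assumed NIS wildcard entry pointing every ordinary user at this shell:
#   +:nologin:0:0:::/usr/local/libexec/rsh-only

: "${RSH_ONLY_CPU_SECONDS:=480}"   # CPU time cap, seconds (csh: cputime 480seconds)
: "${RSH_ONLY_DATA_KB:=2560}"      # data segment cap, KiB  (csh: datasize 2.5megabytes)
: "${RSH_ONLY_NICE:=2}"            # priority reduction      (csh: nice +2)

# Classify the invocation.  Returns:
#   0  rshd's form: exactly "-c command" and no terminal on stdin -> allow
#   1  a terminal is on stdin: rlogin/telnet/su session          -> refuse
#   2  anything else (no -c, missing or extra words, empty cmd)  -> refuse
classify_invocation() {
    if [ -t 0 ]; then
        return 1
    fi
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ -n "$2" ] || return 2
    return 0
}

# Lower the soft limits of this shell; the exec below inherits them.
# ulimit -t is POSIX; -d is supported by bash, dash and ksh but is not
# guaranteed everywhere, so its failure is reported rather than ignored.
apply_limits() {
    ulimit -S -t "$RSH_ONLY_CPU_SECONDS" || return 1
    ulimit -S -d "$RSH_ONLY_DATA_KB" 2>/dev/null || return 1
    return 0
}

# Entry point: same outcomes as the csh version, plus a refusal for
# malformed invocations.  Returns only on refusal; otherwise execs.
run_restricted() {
    classify_invocation "$@"
    case $? in
        1) echo "Login to server is not allowed because of detrimental effect on file serving." >&2
           return 1 ;;
        2) echo "rsh-only: expected -c command" >&2
           return 2 ;;
    esac
    apply_limits || { echo "rsh-only: cannot apply resource limits" >&2; return 3; }
    SHELL=/bin/sh
    export SHELL
    exec nice -n "$RSH_ONLY_NICE" /bin/sh -c "$2"
}

# Dispatch only when run as the installed script, so the functions can
# also be sourced and exercised on their own.
case $0 in
    */rsh-only|rsh-only) run_restricted "$@" ;;
esac
```

The tty test alone is what the csh script relies on; the added argument check closes the case where the shell is reached some other way than through rshd (for example an su or a program that runs the user's shell without a terminal), where the csh version would shift off whatever the first argument was and run the rest. As in the original, this limits resource use rather than providing real security: the user still runs an unrestricted /bin/sh on the command they supply.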